Gax

Results 7 comments of Gax

1. Hardcoded Key and IV

   We've found that the key and IV are hardcoded in the code [here](https://github.com/jeecgboot/jeecg-boot/issues/2462), but it seems they have been abandoned according to another issue [here](https://github.com/jeecgboot/jeecg-boot/issues/2462)....

2. Broken algorithm

   The algorithm used in file `PasswordUtil.java` [here](https://github.com/jeecgboot/jeecg-boot/blob/master/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/PasswordUtil.java#L26) is PBEWithMD5AndDES. But this algorithm is regarded as insecure because both MD5 and DES are considered to be weak.

   ```java
   ...
   ```

3. SHA1withRSA and AES/ECB insecure

   These two algorithms are used in file `SecurityTools.java` [here](https://github.com/jeecgboot/jeecg-boot/blob/master/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/security/SecurityTools.java#L21) and [here](https://github.com/jeecgboot/jeecg-boot/blob/master/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/security/SecurityTools.java#L30).

   ```java
   public class SecurityTools {
       public static final String ALGORITHM = "AES/ECB/PKCS5Padding";
       public static...
   ```

I copy the following content from Wiki: "When the standard was written in the year 2000 the recommended minimum number of iterations was 1,000, but the parameter is intended to...

Actually, I'm designing a new tool for detecting cryptographic vulnerabilities in Python. And to report some vulnerabilities we have just found. You know, only for papers.

Sounds interesting! And bro, you are truly a security fanatic (at least from my perspective).